NY Financial Regulator to Propose Cybersecurity Regulations

By Andrew Deichler

Published: 5/14/2015

The New York Department of Financial Services, arguably the most influential state financial regulator in the nation, is setting its sights on cybercrime, jumping ahead of Congress and federal regulators in the process.

NYDFS Superintendent Benjamin Lawsky intends to propose cybersecurity regulations for banks and insurance companies before the end of the year, and the implications for corporate treasury and finance likely are profound.

The proposed regulations will largely target security gaps that make banks more vulnerable to attacks. “The one thing we find to be an existential threat right now is whether our financial institutions and systems are adequately protected when it comes to cybersecurity,” Lawsky said.

In April, the Financial Services Department revealed the results of a recent survey it performed on 40 banks. It found that one-third of them did not require outside vendors to inform them of breaches. That runs counter to cybersecurity best practices, experts say.

Corporates and banks that do not carefully vet their vendors often suffer major consequences, as big box retailer Target found out in late 2013. Reuters noted that one of Lawsky’s forthcoming regulations may oblige banks to require warranties from their vendors about the cybersecurity protections they have in place.

Another potential regulation may require banks to adopt a multifactor authentication process for allowing employees and customers to log into their systems.

What it means for treasury

It is imperative that banks possess the strongest security possible; corporate treasurers, and their organizations’ money, depend on it. And if banks are providing exceptional security, then companies can look to them for help with their own security.

According to Special Agent Jason Truppi of the FBI Cyber Division, who worked with AFP on its Payments Security Guide, it’s a good idea for treasurers to bring in industry experts with advanced cybersecurity centers to help them identify the biggest threats. Banks are under constant attack, so they are often a good source to turn to.

“They’re seeing everything and anything that’s coming in,” Truppi noted. “In fact, the Federal Reserve has a National Incident Response Team (NIRT). While every Federal Reserve Bank has its own pillar, the NIRT actually covers all of their cyberinfrastructure, and they get about 2 million malicious events a day. And when I say a malicious event, we’re talking potentially scanning on their outward-facing infrastructure, SQL injections, any sort of web application attacks, spear phishing emails, you name it. It could be anything.”

Bill Booth, executive vice president of treasury management for PNC Bank and a member of AFP’s Treasury Advisory Group, agreed that treasurers should be able to talk to their banks about the protections they offer. “Most big banks are offering some level of malware protection right now,” he said. “There may be enhancements that companies can subscribe to that take malware detection a step further. They may require some interaction between the bank and the client in terms of maintenance. But usually those enhanced capabilities are free. There have been great strides made in terms of malware detection.”

Tougher regulations on cybersecurity couldn’t come at a better time for treasurers. According to new data from Juniper Research, the cost of data breaches will increase to $2.1 trillion globally by 2019, nearly four times their estimated cost in 2015. Furthermore, by 2020, the average cost of a data breach is expected to exceed $150 million.